- ABP Framework version: v9.0.5
- UI Type: Angular
- Database System: EF Core, SQL Server
- Tiered (for MVC) or Auth Server Separated (for Angular): Yes
Both existing users and new registering users when using SSO are now forced to add a password as of version 9. This seems to be an undocumented breaking change. It also seems to ignore some configuration options (which I believe to be a bug).
This code, used in both Login.cshtml.cs and Register.cshtml.cs, which redirects to the change password page, only looks at the "EnableLocalLogin" setting.
1. If I were to disable EnableLocalLogin, I would not be able to have login/registration with a username/password for anyone.
2. The VerifyPasswordDuringExternalLogin setting seems to have no bearing on this at all, but the addition of the below code seems to be there to facilitate it.
3. The only way to prevent this behaviour is to override the entire sections of RegisterModel.OnPostInternal and LoginModel.OnGetExternalLoginCallbackAsync and comment out the below.
-
This is a breaking change moving from ABP 8 to 9
This is a fundamental change in the behaviour of the login flow; why would anyone want to enter a password using SSO? It should be configurable.
I've laid this out very clearly, as I've seen the duplicate closed thread on this matter where the customer was told to override the entire login/reg page. I believe this was not the correct course of action. They were also told that "We have not changed the login/register code recently."; this code was added in version 9.
    if (await SettingProvider.IsTrueAsync(AccountSettingNames.EnableLocalLogin))
    {
        var user = await UserManager.FindByLoginAsync(loginInfo.LoginProvider, loginInfo.ProviderKey);
        if (user != null && user.PasswordHash == null)
        {
            await StoreChangePasswordUser(user);
            return RedirectToPage("./ChangePassword", new {
                returnUrl = ReturnUrl ?? "/",
                returnUrlHash = ReturnUrlHash
            });
        }
    }
5 Answer(s)
-
0
Hi, actually it's configurable, we updated our Account Module Pro documentation about this change. Please refer to https://abp.io/docs/9.1/modules/account-pro#social-account-security-setting.
-
0
Thanks for your response!
I've tried the setting "VerifyPasswordDuringExternalLogin", as I said above in point 2. It didn't have any effect, so I checked the source, it is only referenced in one place LoginModel.ShouldAskUserPasswordAsync, to choose if they should enter their existing password. Not to choose if they should be required to create one.
    if (!await SettingProvider.IsTrueAsync(AccountSettingNames.VerifyPasswordDuringExternalLogin))
    {
        return null;
    }
    if (user.PasswordHash != null)
    {
        return RedirectToPage("./ExternalPasswordLogin", new {
            returnUrl = ReturnUrl,
            returnUrlHash = ReturnUrlHash
        });
    }
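The two snippets quoted in this thread make different decisions on different conditions, which is easy to lose sight of when reading them inside the full Razor page models. The following is an added example, not ABP's own code: it models both decisions as a pure function so that the effect of each setting can be tabulated. The names ExternalLoginFlow, AccountSettings and the setting RequirePasswordForExternalUsers are hypothetical and do not exist in ABP v9.0.5; the latter stands in for whatever dedicated option would gate the forced password creation.

```csharp
using System;

// Added example, not part of the ABP Account module. All type and setting
// names below are hypothetical; only EnableLocalLogin and
// VerifyPasswordDuringExternalLogin correspond to real ABP settings.
public enum ExternalLoginOutcome { SignIn, AskExistingPassword, ForceCreatePassword }

public sealed class AccountSettings
{
    public bool EnableLocalLogin { get; init; } = true;
    public bool VerifyPasswordDuringExternalLogin { get; init; } = false;
    // Hypothetical: a setting that would gate the ChangePassword redirect.
    public bool RequirePasswordForExternalUsers { get; init; } = true;
}

public static class ExternalLoginFlow
{
    // Mirrors the v9.0.5 behaviour as quoted in the thread: a user with no
    // PasswordHash is sent to ChangePassword whenever local login is enabled,
    // and VerifyPasswordDuringExternalLogin only affects users who already
    // have a hash. The two branches are mutually exclusive, so their order
    // does not change the result.
    public static ExternalLoginOutcome Current(AccountSettings s, string? passwordHash)
    {
        if (s.EnableLocalLogin && passwordHash == null)
            return ExternalLoginOutcome.ForceCreatePassword;
        if (s.VerifyPasswordDuringExternalLogin && passwordHash != null)
            return ExternalLoginOutcome.AskExistingPassword;
        return ExternalLoginOutcome.SignIn;
    }

    // Same flow with the forced creation gated by its own (hypothetical)
    // setting, so local login can stay enabled for password users while
    // SSO-only users are signed in directly.
    public static ExternalLoginOutcome Proposed(AccountSettings s, string? passwordHash)
    {
        if (s.EnableLocalLogin && s.RequirePasswordForExternalUsers && passwordHash == null)
            return ExternalLoginOutcome.ForceCreatePassword;
        if (s.VerifyPasswordDuringExternalLogin && passwordHash != null)
            return ExternalLoginOutcome.AskExistingPassword;
        return ExternalLoginOutcome.SignIn;
    }

    public static void Main()
    {
        // Constructed cases: an SSO-only user (no hash) and a user who also
        // has a local password (constructed placeholder hash).
        string?[] hashes = { null, "CONSTRUCTED-HASH" };
        var configs = new[]
        {
            new AccountSettings { EnableLocalLogin = true,  VerifyPasswordDuringExternalLogin = false },
            new AccountSettings { EnableLocalLogin = true,  VerifyPasswordDuringExternalLogin = true  },
            new AccountSettings { EnableLocalLogin = false, VerifyPasswordDuringExternalLogin = true  },
            new AccountSettings { EnableLocalLogin = true,  VerifyPasswordDuringExternalLogin = false,
                                  RequirePasswordForExternalUsers = false },
        };

        Console.WriteLine("LocalLogin Verify RequireExt HasHash | v9.0.5 as quoted | with dedicated setting");
        foreach (var s in configs)
            foreach (var h in hashes)
                Console.WriteLine($"{s.EnableLocalLogin,-10} {s.VerifyPasswordDuringExternalLogin,-6} " +
                                  $"{s.RequirePasswordForExternalUsers,-10} {h != null,-7} | " +
                                  $"{Current(s, h),-17} | {Proposed(s, h)}");
    }
}
```

Running Main prints one row per combination. The row with EnableLocalLogin = true and no hash is the case reported in this thread: the quoted code always yields ForceCreatePassword there regardless of VerifyPasswordDuringExternalLogin, and only disabling local login entirely (which also disables it for password users) avoids it.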
-
0
Hi,
We will change this in the next 9.0.x patch version.
Sorry for that.
-
0
Thank you for sorting this! 😀
-
0
Your ticket has been refunded.
Thank you.